This advisory describes how the upstream MongoDB vulnerability “MongoBleed” (CVE‑2025‑14847) affects TP‑Link Omada Controllers, the conditions under which exposure may occur, and the recommended remediation steps.
Vulnerability Description and Impacts:
MongoBleed (CVE‑2025‑14847) is a critical, unauthenticated memory disclosure vulnerability in MongoDB’s handling of zlib‑compressed network messages. This upstream flaw may lead to leakage of uninitialized heap memory, potentially leaking sensitive information.
CVSS v4.0 Score: 8.7 / High
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Are Omada Controllers Affected?
Omada controllers are affected only under specific deployment conditions.
You MAY be affected if ANY of the following are true:
- The controller is deployed in cluster mode.
- The MongoDB binding has been manually modified in omada.properties by changing “eap.mongod.host” from the default 127.0.0.1 to a wider or externally accessible interface.
- For Linux Software Controllers, ALL of the following are true:
  - You are using a self-deployed MongoDB, and
  - The MongoDB version is vulnerable, and
  - MongoDB is listening on an external interface.
If NONE of these conditions apply:
- Risk exposure is limited, and default deployments are NOT exploitable.
Cloud-based controllers are NOT affected.
Affected Versions:
| Products | Affected Versions |
| --- | --- |
| Hardware Controllers | |
| OC200 V1 | < OC200_V1_1.38.9 / Omada SDN 6.1.0 |
| OC200 V2 | < OC200_V2_2.23.9 / Omada SDN 6.1.0 |
| OC220 V1 | < OC220_V1_1.3.9 / Omada SDN 6.1.0 |
| OC220 V2 | < OC220_V2_2.2.5 / Omada SDN 6.1.0 |
| OC300 V1 | < OC300_V1_1.32.9 / Omada SDN 6.1.0 |
| OC400 V1 | < OC400_V1_1.10.9 / Omada SDN 6.1.0 |
| Software Controllers | |
| Omada Network Application (Windows) | < v6.1.0.18 |
| Omada Network Application (Linux) | Depends on user-deployed MongoDB |
Affected Conditions Summary:
Hardware Controllers or Windows Software Controllers
- Not exploitable under default deployment settings.
- Your deployment may be affected if:
- Cluster mode is enabled, OR
- eap.mongod.host was manually changed to expose MongoDB externally.
Linux Software Controllers
- Impact depends on the self-deployed MongoDB version.
- You must check:
- The MongoDB version you installed
- Whether MongoDB is exposed externally
- Whether zlib compression is enabled
Recommendations and Remediation:
- Upgrade to a Remediated Version (Recommended)
If you use hardware controllers deployed in cluster mode, upgrading is strongly recommended.
The following Omada SDN 6.1.0 pre-release builds include the fix:
Hardware Controllers:
OC200(UN)_V1_1.38.9_pre-release (Built-in Omada SDN Controller 6.1.0)
OC200(UN)_V2_2.23.9_pre-release (Built-in Omada SDN Controller 6.1.0)
OC220(UN)_V1_1.3.9_pre-release (Built-in Omada SDN Controller 6.1.0)
OC220(UN)_V2_2.2.5_pre-release (Built-in Omada SDN Controller 6.1.0)
OC300(UN)_V1_1.32.9_pre-release (Built-in Omada SDN Controller 6.1.0)
OC400(UN)_V1_1.10.9_pre-release (Built-in Omada SDN Controller 6.1.0)
Software Controllers:
Omada_Network_Application_v6.1.0.18 Windows (Windows 10/11/Server, 64-bit Recommended)
Omada_Network_Application_v6.1.0.18_linux_x64.tar.gz
Omada_Network_Application_v6.1.0.18_linux_x64.deb
You may also visit the Business Community pages for the latest pre-release firmware.
- Temporary Mitigation (If you cannot upgrade yet):
Add the following to eap.mongod.args in properties/omada.properties:
--networkMessageCompressors snappy
This disables zlib compression and prevents MongoBleed exploitation.
- Linux Controllers with Self-Deployed MongoDB:
You must upgrade MongoDB using the official MongoDB guidance:
https://jira.mongodb.org/browse/SERVER-115508
MongoDB fixed versions include:
8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, 4.4.30
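The checklist in the Affected Conditions Summary, the temporary mitigation, and the fixed-version list above can be folded into one audit routine. The following Python is an added example, not code from TP-Link or MongoDB; it assumes that properties/omada.properties uses Java key=value syntax with the two keys this advisory names (eap.mongod.host and eap.mongod.args), and every sample file it reads is constructed inline.

```python
"""Added example: audit an Omada controller against the conditions in
this advisory.  This is not TP-Link's or MongoDB's code.  It assumes
that properties/omada.properties uses Java key=value syntax and the two
keys the advisory names (eap.mongod.host, eap.mongod.args); all sample
input below is constructed."""
import re

# Fixed MongoDB releases from the advisory, keyed by release branch.
FIXED_VERSIONS = {
    "8.2": (8, 2, 3), "8.0": (8, 0, 17), "7.0": (7, 0, 28),
    "6.0": (6, 0, 27), "5.0": (5, 0, 32), "4.4": (4, 4, 30),
}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_properties(text):
    """Minimal Java .properties reader: skips comments, splits key=value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def parse_version(text):
    """Pull X.Y.Z out of a bare string or 'mongod --version' output."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no X.Y.Z version in {text!r}")
    return tuple(int(x) for x in m.groups())


def mongod_is_vulnerable(version):
    """True below the branch's fixed release, False at/above it, None if
    the branch is not one the advisory lists (needs manual review)."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get(f"{major}.{minor}")
    if fixed is None:
        return None
    return (major, minor, patch) < fixed


def host_is_external(host):
    """The advisory's default binding is 127.0.0.1; anything else widens it."""
    return host.strip() not in LOOPBACK


def zlib_mitigated(args):
    """True only when --networkMessageCompressors is set without zlib,
    i.e. the advisory's '--networkMessageCompressors snappy' is in place."""
    m = re.search(r"--networkMessageCompressors(?:=|\s+)(\S+)", args)
    if not m:
        return False  # flag absent: zlib can still be negotiated
    return "zlib" not in m.group(1).split(",")


def assess(properties_text, cluster_mode=False, mongod_version=None,
           listen_addr=None, mongod_args=None):
    """Apply the advisory's checklist.

    mongod_version=None means the controller's bundled MongoDB (hardware
    or Windows): binding and cluster mode alone decide.  A version means
    a self-deployed MongoDB (Linux): it counts only if the version is
    vulnerable (or unlisted) AND mongod listens beyond loopback.
    listen_addr / mongod_args override what omada.properties says, for a
    self-deployed mongod that is configured outside the controller."""
    props = parse_properties(properties_text)
    host = listen_addr or props.get("eap.mongod.host", "127.0.0.1")
    args = mongod_args if mongod_args is not None else props.get("eap.mongod.args", "")
    external = host_is_external(host)
    findings = []
    if cluster_mode:
        findings.append("cluster mode is enabled")
    if mongod_version is None:
        if external:
            findings.append(f"MongoDB bound to {host}, beyond the default 127.0.0.1")
    else:
        vuln = mongod_is_vulnerable(mongod_version)
        if external and vuln is not False:
            why = "predates its fixed release" if vuln else "is on a branch not listed here"
            findings.append(f"self-deployed MongoDB {mongod_version} {why} and listens on {host}")
    mitigated = zlib_mitigated(args)
    return {
        "findings": findings,
        "zlib_mitigated": mitigated,
        # Exposure requires a listed condition AND no compressor mitigation.
        "may_be_affected": bool(findings) and not mitigated,
    }


# Constructed sample files (not taken from a real controller).
SAMPLE_DEFAULT = "eap.mongod.host=127.0.0.1\neap.mongod.args=\n"
SAMPLE_EXPOSED = "# binding widened by hand\neap.mongod.host=0.0.0.0\neap.mongod.args=\n"
SAMPLE_MITIGATED = ("eap.mongod.host=0.0.0.0\n"
                    "eap.mongod.args=--networkMessageCompressors snappy\n")

if __name__ == "__main__":
    for name, text in [("default", SAMPLE_DEFAULT), ("exposed", SAMPLE_EXPOSED),
                       ("mitigated", SAMPLE_MITIGATED)]:
        print(name, assess(text))
    print("linux", assess(SAMPLE_DEFAULT, mongod_version="7.0.14", listen_addr="0.0.0.0"))
```

Run it against a copy of properties/omada.properties. For a Linux controller with its own MongoDB, pass the output of `mongod --version` and the address that mongod is configured to listen on, because that mongod is not started from eap.mongod.args and the compressor setting must come from its own command line or configuration instead.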
Upgrade Notes:
- Minor version upgrades (e.g., 7.0.14 → 7.0.28) → No compatibility issues.
- Cross-major upgrades (e.g., 3.6 → 4.4) → Follow the required additional steps below:
Refer to Omada upgrade FAQs for guidance
https://www.omadanetworks.com/us/support/faq/4398/
https://www.omadanetworks.com/us/support/faq/4160/
Disclaimer:
If you do not take all recommended actions, this vulnerability will remain. TP-Link cannot bear any responsibility for consequences that could have been avoided by following this advisory.